CLAIMS

1. An Application Gateway Module (2) suitable for use in a
telecommunication system wherein a service network (20)
authenticates a user (1; 9) and authorises the user for
accessing a service (5; 6) offered by a service provider
(30), the Application Gateway Module (2) arranged for
intercepting (1-2, 1-4; I-2x, I-4x) application messages
between the user and the service and for identifying said
user and said service, and including:

- means for obtaining an authorisation decision (1-3; I-3x)
on whether the user is allowed to access the service;

the Application Gateway Module (2) characterised by
comprising:

- means for assigning a service session identifier
(Service_Context_ID) intended to identify those
application messages exchanged between the user and
the service and that belong to a same service delivery
authorised for said user;

- means for configuring a first finite-state machine
(SCSM) with a number of status intended to identify
specific events in service delivery where service
progression can be controlled; and

- means for activating service policies (SP) applicable
to said specific events and resulting in a state
transition.

2. The Application Gateway Module of claim 1, wherein the
means for assigning a service session identifier
(Service_Context_ID) include means for initiating a
specific instance of the first finite-state machine
(SCSM), said specific instance being identified by the
assigned service session identifier (Service_Context_ID).

3. The Application Gateway Module of claim 2, wherein the
means for activating service policies (SF) include means
for setting at least one element selected from a
non-exhaustive list of references and attributes that
comprises: a number of message field values to match, a
number of specific actions to carry out on matching, a
number of timer values to run, and a number of
transactions to supervise.

4. The Application Gateway Module of claim 2, wherein the 
means for activating service policies (SF) include means 
for activating a global service policy independently of 
any service delivery in progress. 

5. The Application Gateway Module of claim 2, wherein the
means for activating service policies (SF) include means
for initiating an instance of a global service policy to
apply as an individual service policy within a specific
instance of the first finite-state machine (SCSM), the
individual service policy inheriting references and
attributes from the global service policy.

6. The Application Gateway Module of claim 5, further
comprising means for overwriting references and
attributes of an individual service policy with new
references and attributes during a service progression
handled within a specific instance of the first
finite-state machine (SCSM).

7. The Application Gateway Module of claim 5, wherein a
particular state is associated with a number of
individual service policies (SF-31; SF-32) within a
specific instance of the first finite-state machine
(SCSM), said instance identified by a given service
session identifier (Service_Context_ID).

8. The Application Gateway Module of claim 2, wherein the
means for obtaining an authorisation decision include
means for requesting a service authorisation from an
Authorisation Module (3) as claimed in claim 15.

9. The Application Gateway Module of claim 8, wherein the
means for activating service policies (SF) include means
for receiving from the Authorisation Module (3) at least
one element applicable to set a service policy, the
element selected from a non-exhaustive list of references
and attributes that comprises: a number of message field
values to match, a number of specific actions to carry
out on matching, a number of timer values to run, and a
number of transactions to supervise.

10. The Application Gateway Module of claim 8, wherein the
means for activating service policies (SF) includes means
for receiving a global service policy from the
Authorisation Module (3).

11. The Application Gateway Module of claim 8, further
comprising means for receiving references and attributes
from the Authorisation Module (3) applicable to overwrite
an individual service policy with new references and
attributes during a service progression handled within a
specific instance of the first finite-state machine
(SCSM).

12. The Application Gateway Module of claim 8, further 
comprising means for notifying to the Authorisation 
Module (3) a specific event in service progression. 

13. The Application Gateway Module of claim 8, further
comprising means for requesting from the Authorisation
Module (3) a further processing to determine an
appropriate action to go on with the service progression.

14. The Application Gateway Module of claim 13, further
comprising means for receiving from the Authorisation
Module (3) an instruction selected from: access granted
without restriction, another service (serviceTER) to
substitute a previous service requested (serviceBIS),
forced logout, and indication of a state transition.

15. An Authorisation Module (3) suitable for use in a
telecommunication system wherein a service network (20)
authenticates a user (1; 9) and authorises the user for
accessing a service (5; 6) offered by a service provider
(30), the Authorisation Module arranged for deciding
whether a user (1; 9) is allowed to access a service (5;
6) and having:

- means for receiving a service authorisation request
(S-511) from an Application Gateway Module (2) as
claimed in claim 1; and

- means for returning back to the Application Gateway
Module (2) a response on whether the user (1; 9) is
granted access to the requested service (5; 6);

the Authorisation Module (3) characterised by comprising:

- means for generating a service session identifier
(Service_Context_ID) intended to correlate those
application messages exchanged between the user and
the service and that belong to a same service delivery
authorised for said user;

- means for configuring a second finite-state machine
(SPSM) with a number of status intended to identify
specific events in service progression where the
Authorisation Module can act over the Application
Gateway Module to control the service progression; and

- means for determining service policies (SF) applicable
to said specific events and resulting in a state
transition.

16. The Authorisation Module of claim 15, wherein the means
for generating a service session identifier
(Service_Context_ID) comprise means for including said
service session identifier (Service_Context_ID) in the
response (S-512) to be returned to the Application
Gateway Module (2) on whether the user (1; 9) is granted
access to the requested service (5; 6).

17. The Authorisation Module of claim 16, wherein the means
for generating a service session identifier
(Service_Context_ID) includes means for initiating a
specific instance of the second finite-state machine
(SPSM), said specific instance being identified by said
service session identifier (Service_Context_ID).

18. The Authorisation Module of claim 17, wherein a
particular state is associated with a number of service
policies within a specific instance of the second
finite-state machine (SPSM), said instance identified by a given
service session identifier (Service_Context_ID).

19. The Authorisation Module of claim 15, wherein the means
for determining service policies (SF) comprise means for
including in the response (S-512) towards the Application
Gateway Module (2) at least one information element to
activate a service policy (SF-2) within a specific state
in the Application Gateway Module, said at least one
information element selected from a non-exhaustive list
of references and attributes that comprises:

- a number of message field values (Analyse-Info-SF-value;
Logout-SF-value) to match;

- a set of actions to carry out on matching a given
message field value;

- a number of new timer values (Timeout-value) to run;
and

- a number of transactions to supervise.

20. The Authorisation Module of claim 19, wherein the means
for including in the response (S-512) towards the
Application Gateway Module (2) at least one information
element to activate a service policy include means for
indicating that this is a global service policy to apply
independently of any service delivery in progress.

21. The Authorisation Module of claim 16, further comprising
means for receiving a notification, from an Application
Gateway Module (2) as claimed in claim 1, indicating a
specific event detected in service progression.

22. The Authorisation Module of claim 16, further comprising
means for receiving a request, from an Application
Gateway Module (2) as claimed in claim 1, asking for an
instruction to proceed with a service progression.

23. The Authorisation Module of claim 22, further comprising
means for sending towards the Application Gateway Module
(2) an instruction selected from: access granted without
restriction, another service (serviceTER) to substitute a
previous service requested (serviceBIS), forced logout,
and indication of a state transition.

24. The Authorisation Module of claim 16, further comprising
means for receiving an application message (I-7x; I-8x)
from at least one entity selected from a number of
application servers (7; 8) and provisioning systems, the
application message including a given service session
identifier (Service_Context_ID) intended to identify a
specific instance of the second finite-state machine
(SPSM) in the Authorisation Module (3).

25. A method for authorising a user (1; 9) of a service
network (20) to access a service offered by a service
server (5; 6) of a service provider (30), the user (1; 9)
already authenticated by the service network, the server
(5; 6) arranged to deliver a service that comprises a
plurality of transactions by exchanging a plurality of
application messages with the user (1; 9), the method
comprising a step of:

- obtaining a first authorisation decision (1-3; I-3x)
on whether the user is allowed to access the service;

the method characterised by comprising the steps of:

- generating and assigning a service session identifier
(Service_Context_ID) intended to identify those
application messages exchanged between the user and
the service and that belong to a same service delivery
authorised for said user;

- configuring at least one finite-state machine (SCSM;
SPSM) with a number of status intended to identify
specific events in service delivery where service
progression can be controlled; and

- activating service policies (SF) applicable to said
specific events and resulting in a state transition.

26. The method of claim 25, wherein the step of generating
and assigning a service session identifier
(Service_Context_ID) includes a step of initiating a
specific instance of the at least one finite-state
machine (SPSM; SCSM), said specific instance being
identified by the assigned service session identifier
(Service_Context_ID).

27. The method of claim 26, wherein a particular state within
the specific instance of the at least one finite-state
machine (SCSM; SPSM) is associated with a number of
service policies (SF-1; SF-2; SF-31; SF-32).

28. The method of claim 25, wherein the step of activating
service policies (SF) includes a step of setting at least
one element selected from a non-exhaustive list of
references and attributes that comprises: a number of
message field values to match, a number of specific
actions to carry out on matching, a number of timer
values to run, and a number of transactions to supervise.

29. The method of claim 25, further comprising a step of
receiving at the service network (20) an application
message originated at an entity selected from: a number
of service servers (5; 6) of a service provider (30) and
a number of entities of a provisioning system, the
application message including a given service session
identifier (Service_Context_ID) intended to identify a
specific instance of the at least one finite-state
machine (SCSM; SPSM).

30. The method of claim 25, wherein the step of configuring 
at least one finite-state machine comprises a step of 
configuring a first finite-state machine (SCSM) in an 
Application Gateway Module (2) as claimed in claim 1, and 
a step of configuring a second finite-state machine 
(SPSM) in an Authorisation Module (3) as claimed in claim 
15. 
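
The following is an added illustration, not part of the patent text or of any implementation by the applicant: a minimal gateway that keeps one finite-state machine instance per Service_Context_ID, derives each session's individual policy from a global policy, and lets that policy be overwritten for one session only (claims 2, 5 and 6). The state names, the `path` message field and the action strings are hypothetical, and only message-field matching is modelled (no timers or transaction supervision).

```python
import secrets
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class ServicePolicy:
    state: str       # state in which the policy is active
    field: str       # message field to inspect (hypothetical name)
    value: str       # field value to match
    action: str      # action to carry out on matching
    next_state: str  # state transition resulting from the match

# Global policy: defined independently of any service delivery in progress.
GLOBAL_LOGOUT = ServicePolicy("IN_SERVICE", "path", "/logout",
                              "forced_logout", "CLOSED")

class Gateway:
    def __init__(self):
        self.sessions = {}  # Service_Context_ID -> FSM instance

    def authorise(self, user, service, allowed):
        """Create an FSM instance only after a positive authorisation decision."""
        if not allowed:
            return None
        ctx_id = secrets.token_hex(16)  # unguessable session identifier
        # The individual policy inherits its attributes from the global one.
        self.sessions[ctx_id] = {"user": user, "service": service,
                                 "state": "IN_SERVICE",
                                 "policies": [replace(GLOBAL_LOGOUT)]}
        return ctx_id

    def overwrite(self, ctx_id, index, **attrs):
        """Overwrite attributes of one session's individual policy."""
        s = self.sessions[ctx_id]
        s["policies"][index] = replace(s["policies"][index], **attrs)

    def intercept(self, ctx_id, message):
        """Return the action for an intercepted message; unknown IDs fail closed."""
        s = self.sessions.get(ctx_id)
        if s is None or s["state"] == "CLOSED":
            return "reject"
        for p in s["policies"]:
            if p.state == s["state"] and message.get(p.field) == p.value:
                s["state"] = p.next_state
                return p.action
        return "forward"
```

Because the policy objects are immutable and copied per session, an overwrite in one session cannot alter the global policy or any other session's state machine.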